Zande Africa Proprietary Limited (“Zande”/“the company”) provides logistics and credit-related services in the retail and wholesale fast-moving consumer goods distribution space throughout the Republic of South Africa. As part of its operations, Zande collects information and data from various stakeholders including customers, creditors, debtors and suppliers. The Protection of Personal Information Act 4 of 2013 (“POPI Act”) imposes obligations on Zande to, among others, manage and safeguard confidential information provided to it by various stakeholders.
Zande is committed to protecting the confidentiality of information received from stakeholders and ensuring that it is used appropriately in accordance with applicable laws. This policy document sets out the manner in which Zande manages stakeholder information and the use of such information.
The purpose of this policy document is to enable Zande to:
- comply with the laws applicable for the protection of client confidential information
- protect the privacy of client confidential information
- ensure that client confidential information is handled in a secure and transparent manner
- implement good business practice that is prescribed and regulated by law
- set out specific guidelines and general good behaviour for Zande’s personnel in the management of client confidential information
Terms used in this policy document shall, unless otherwise defined or where the context indicates otherwise, have the meaning ascribed to them in the POPI Act.
- Client includes a customer, creditor, debtor, supplier and other parties who provide Confidential Information to Zande from time to time;
- Confidential Personal Information refers to any non-public personal information provided to Zande by the Clients from time to time;
- Personal Information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company);
- Information Officer refers to a duly appointed employee of the company who is responsible for the company’s compliance with the provisions of the POPI Act;
- POPI Policy or Policy refers to this policy document and any amendment or replacement documents;
- Services means the services provided by Zande from time to time including logistics and credit services;
- Application of Policy
- This policy and its guiding principles apply to:
- The company’s governing body (such as the board and its sub-committees)
- All branches, business units and divisions of the company
- All employees and volunteers
- All contractors, suppliers and other persons acting on behalf of the company
- Personal Information
Zande only collects Confidential Personal Information that is reasonably necessary to provide the Services to its Clients. Such information includes but is not limited to the following:
- race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person;
- the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
- Information Management
Failing to comply with the POPI Act can potentially damage the company’s reputation or expose the company to a civil claim for damages. The protection of Personal Information must therefore be undertaken by all the company’s personnel. The company, Zande, will ensure that the provisions of the POPI Act and the guiding principles outlined in this Policy are complied with. The company will impose appropriate sanctions, which may include disciplinary action, against individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this Policy.
Zande must, through the information officer, determine which information from Clients forms part of POPI Act-protected information and what Zande’s duties and responsibilities are with regards to such information.
Zande will abide by the provisions of sections 9, 10, 11 and 12 of the POPI Act in processing information received from Clients.
Zande will obtain written consent from Clients where appropriate, and where consent is given orally a recording of such consent must be kept.
The company will ensure that Personal Information under its control is processed:
- in a fair, lawful and non-excessive manner, and
- only with the informed consent of the Client, and
- only for a specifically defined purpose.
The company will inform the Client of the reasons for collecting his, her or its Personal Information and obtain written consent prior to processing the information.
Alternatively, where services or transactions are concluded over the telephone or electronic video feed, the company will maintain a voice recording of the stated purpose for collecting the personal information followed by the Client’s subsequent consent.
The company will under no circumstances distribute or share Personal Information between separate legal entities, associated institutions (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.
The Client shall be informed where their Personal Information is intended to be shared with other divisions or branches of the company and be provided with the purpose of the disclosure.
6.2 Purpose Specification
Zande undertakes to comply with the provisions of the POPI Act and in particular sections 13 and 14.
Zande is to establish a system for information retention and determine maximum retention periods for the following categories of data:
- Heads of departments
- Credit applications
- Credit agreements
Zande must always inform Clients of the reasons or purpose for which the information is required.
All of Zande’s business operations must be informed by the principle of transparency.
Personal Information will only be processed for a specific and explicitly defined purpose.
6.3 Further Processing Limitation
Personal Information will not be processed for an ulterior purpose unless that processing is compatible with the original purpose.
Where the company seeks to process Personal Information it holds for a purpose other than the purpose for which it was originally collected, and where this ulterior purpose is not compatible with the original purpose, the company will first obtain additional consent from the Client.
6.4 Quality of Information
Information accuracy is regulated by section 16 of the POPI Act. Zande will, upon obtaining Client information, establish and verify the accuracy of the information.
The company will take reasonable steps to ensure that all Personal Information collected is complete, accurate and not misleading. Where necessary, Zande will establish an information directory system to facilitate data retention and accurate cross-checking and referencing, such as credit bureau checks.
Zande will establish a method by which information from Clients will, upon being obtained and captured, be verified. The system to be established will be subject to regular maintenance, review and updates.
Where Personal Information is collected or received from third parties, the company will take reasonable steps to confirm that the information is correct.
Zande must fulfil its POPI Act duties to maintain openness in dealing with Clients’ information.
Zande must –
- Mention the purpose for which the information is required
- Give the Client notice of any possible disclosures of such information
- Make Clients aware of their rights with regard to such information
- Formulate a privacy notice applicable to all Zande personnel
The company will take reasonable steps to ensure that Clients are notified that their Personal Information is being collected including the purpose for which it is being collected.
The company will ensure that it establishes and maintains a customer information facility, for instance via its website or through an electronic helpdesk, to enable Clients to:
- Enquire whether the company holds their Personal Information, or
- Request access to Personal Information, or
- Request the company to update or correct the Personal Information, or
- Make a complaint concerning the processing of Personal Information.
6.6 Security Safeguards
Safeguarding of Private Information is regulated in sections 19, 20, 21 and 22 of the POPI Act.
Zande must take reasonable measures to maintain the confidentiality of the information of Clients.
Zande must –
- Regulate access to records containing such information
- Assign personnel with security level access to information with an established hierarchy between users (personnel)
- Maintain, through the Information Officer, all information subject to access when requested.
Security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction of Personal Information.
Security measures also need to be applied in a context-sensitive manner. Sensitive Personal Information, such as medical information or credit card details, will receive greater security measures.
The company will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the company’s IT network.
The company will ensure that all paper and electronic records comprising Personal Information are securely stored and made accessible only to authorised individuals.
Employees will be required to sign employment contracts containing contractual terms for the use and storage of Client information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of Personal Information for which the company is responsible.
The company’s operators and third-party service providers will be required to enter into service level agreements with the company where both parties pledge their mutual commitment to the POPI Act and the lawful processing of any Personal Information pursuant to the agreement.
6.7 Client Participation
A Client may request the correction or deletion of his, her or its Personal Information held by the company.
The company will ensure that it provides a facility for Clients who want to request the correction or deletion of their Personal Information.
Where applicable, the company will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.
- Information Officer and Responsibilities
The Company will appoint an Information Officer and a deputy where necessary.
The office of the Information Officer, upon its establishment, will have the following responsibilities:
- Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act;
- Reviewing the POPI Act and periodic updates as published;
- Ensuring that POPI Act induction training takes place for all staff;
- Ensuring that periodic communication awareness on POPI Act responsibilities takes place;
- Ensuring that privacy notices for internal and external purposes are developed and published;
- Handling Client access requests;
- Approving unusual or controversial disclosures of personal data;
- Approving contracts with data operators;
- Implementing appropriate policies and controls to ensure the accuracy of Personal Information;
- Ensuring that appropriate security safeguards in line with the POPI Act for Personal Information are in place;
- Handling all aspects of the relationship with the regulator as provided for in the POPI Act;
- Providing direction to any deputy information officer if and when appointed.
Appointment of the Information Officer is to be done by the appropriate head within the divisions of the company. The office of the Information Officer can be occupied by an individual on an annual basis. The divisional head can decide on who to appoint to the office and how long such party may occupy the office.
- Processing of Information
- Processing of Special Personal Information
Processing of special Personal Information is regulated in sections 26, 27, 28, 29, 30, 31, 32, and 33 of the POPI Act.
Zande has a duty to adhere to applicable provisions of the POPI Act and to formulate policy on the processing of special Personal Information which relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Client. Special Personal Information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences. Unless a general authorisation, alternatively a specific authorisation relating to the different types of special Personal Information applies, a responsible party is prohibited from processing special Personal Information.
- Processing of Personal Information of Children
Sections 34 and 35 of the POPI Act regulate the processing of information relating to children.
Zande is committed to adhering to provisions relating to the handling of special information of children. In terms of the POPI Act, children are persons under the age of 18. An age check must be performed by relevant Zande personnel when obtaining Personal Information from Clients. Once it is established, after the age check, that Personal Information is that of a child, general authorisation is strictly required.
A further duty rests with Zande and the office of the Information Officer to comply with the POPI Act and regulations and to develop a system to assess and identify any records in Zande’s database that contain Personal Information of children.
Prior Authorisation is provided for under sections 57, 58 and 59 of the POPI Act. Zande subscribes to the provisions of the POPI Act and shall comply with the obligations set out therein.
- Direct Marketing, Directories and Automated Decision Making
Direct marketing, directories and automated decision making are regulated in sections 69, 70, and 71 of the POPI Act.
When Personal Information is obtained for the first time from a Client and such information may, in future, be used for any marketing purposes, this must be clearly communicated to the Client and the Client must be given a clear opportunity to opt in for future use of the information.
- Data Sharing (Opt-out)
The Client must be informed of this possibility and must be given an opportunity to opt out of future sharing of information.
Where Zande receives Personal Information of Clients from a third-party sharing list, Zande must only accept such list where it can be guaranteed that the list is up to date and Clients on the list have been given an opportunity to opt out.
- Electronic Contact
Whenever email addresses are collected, any future electronic marketing must be identified, and any use of the email address for such marketing is to be made optional.
- Cross-Border Transfer of Personal Information (EU)
Section 72 of the POPI Act regulates the transfer of information to parties in foreign countries. Zande shall comply with the POPI Act and regulations in order to identify cross-border flows of information which contain Personal Information. Transfer of information to parties in foreign countries should be done subject to compliance with the requirements of section 72 of the POPI Act. The transfer of the information should, among others:
- be subject to the consent of the Client,
- be in the interests of the Client, and
- be made to a recipient that is subject to laws adequately governing data processing and transfer.
Any complaints, comments, requests or queries relating to Personal Information or this Policy should be directed to email@example.com